a SharePoint Administrator's Blog

Main menu

Post navigation

I have been working on an issue for several weeks now together with Microsoft Support to investigate a case where the Check Permissions function in SharePoint 2013 is not returning correct information for several users.

Let me first describe the exact situation.

We have a site collection with a standard team site template. We have setup the default SharePoint groups for defining access, such as the Visitors, Members and Owners groups. In these groups we are adding Active Directory groups. Pretty straight forward so far. As is expected, Active Directory users that are members of the added Active Directory groups have access to the SharePoint team site. No problem there. Those same users can do all actions that have been defined by the permissions as well.

So in normal circumstances, when we want to check the permissions for a user in a specific document library, we would expect something like the image below

Well, in my case the permission levels returned was “None” even though the user was a member of the “Team Members” group.

To make a long story short, the issue turned out to be caused by SidHistory. The customer had previously migrated its Active Directory users and groups to a new domain and used SidHistory during the migration. After the migration, these sidhistory attributes were not cleaned up properly by the Active Directory team.

Now, SharePoint does not behave well if you still have groups that have SidHistory attributes specified on them because SharePoint tries to resolve these SID’s which may not be possible anymore because the domain the original SIDD belongs to is no longer available. In this case SharePoint gives up on the call. Unfortunately no error message is returned is generated so no error is returned. Instead SharePoint shows “None” as the permission level as it did not receive a correct answer to the group membership resolution

Now to be sure that you are not experiencing the same issue, you need to verify all groups that the user you are having the same issue with is a member of and make sure that the sidhistory attribute is cleared. Also check nested group membership.

Hope this helps anyone.

For my customer’s case the issue was classified as a bug in SharePoint 2013

This powershell script allows for enumeration through a SharePoint 2010 web application to identify all sites, document libraries, lists, folders and items for which the permission inheritance has been broken.

This script should be executed using a SharePoint 2010 Management Shell on one of the SharePoint servers in the farm with an account allowed to access all content.

this PowerShell script allows for resetting broken inheritance within a site collection. It will run through all subsites, lists, document libraries, folders and individual items, check if permission inheritance is broken and reset the inheritance.

This script will generate a tab delimited text file with all the documents present is in the given web application in SharePoint 2010. It will list the documents, the size of the document, the number of versions, the sie of the versions and the total size. This report will enable you to identify large files throughout an entire web application and identify those files that have many versions and are basically eating up all your storage.

This script locates all pages in an entire web application that uses connected web parts. the script runs through all the aspx pages in all document libraries of all sites in every site collection and checks if there are web part connections defined. If this is the case it will list the page and the provider and consumer web part title.

The script can easily be adapted to find specific web parts in an entire web application

This Powershell script allows you to synchronize an Active Directory custom attribute with the SharePoint 2010 user profile service application PictureUrl property. Usefull for companies that store picture url information in a custom attribute and want to replicate that information into SharePoint 2010. Normally this should be feasible by customizing the ForeFront Identity Manager used by the SharePoint 2010 User Profile Synchronization service, but this is not supported. The script can be easily customized to use a different extension attribute in Active Directory

Use this script in combination with a scheduled task on one of the SharePoint servers in the farm.

he following powershell script will allow you to identify site collections where a given webpart is used. Very usefull during migrations when you have identified the web parts that cannot be upgraded and need to know where they are used. The script allows you to specify a scope of webapp or site collection to go through and look into the web part gallery to check if the web part is present.

Prerequisites for this script is having Powershell 2.0 deployed on the SharePoint 2007 server.

This post describes the implementation of rule based Active Directory groups (RBAG’s), maintained by a custom PowerShell script. The need for such rule based groups can vary. For example maintaining an Active Directory group that holds all members of a specific department can be challenging when no identity management system is available in the company. Hence the creation of this PowerShell script. The script allows for updating Active Directory groups based on a LDAP filter configured on specific Active Directory Groups.

Exciting days with the release of SharePoint 2013 beta. First thing i noticed on a setup on one of my servers, is that you do no longer see the option to sign in as a different user. Apparently the link is either missing or has willingly been removed from the UI. A little comparison with a SP2010 environment shows that the actual link for signing in as a different user is /_layouts/closeConnection.aspx?loginasanotheruser=true.

Fortunately the link still works in SP2013, which might make me believe that the link has just been forgotten adn will probably be back in the RTM release. If not, I guess the very first customization a lot of customers will ask for is to have the button back in the User menu.

Came across troubleshooting an issue with a site collection with the name bin. This site collection had a url like http://portal/sites/bin, making the default homepage http://portal/sites/bin/default.aspx. For some reason the site did not render and I got a HTTP 404 error. After analysis of the ULS logs not showing any trace of the request and the analysis of the IIS logs, I wnet looking for an answer on the interwebz. Stumbled upon the following article from Russ Michaels : http://www.michaels.me.uk/post.cfm/iis7-blocks-viewing-access-to-certain-folder-names

As it appears IIS 7 blocks access to urls where /bin/ is present in the Url.

The solution to this problem is to rename the site collection or remove the exception in the web.config of your web application as suggested by Russ.

I prefer the web.config approach on the web application level by adding the following section:

Notice: the information in this post is not supported by Microsoft. The use of the method described below will revoke your support status for your environment. Use at your own risk

This question came up today and I remembered being able to change this for MOSS by changing the content database so I wondered if it would still work in SP2010.

Well, actually it does ….

The article I used as a source for MOSS can be found at http://sharepointlearn.blogspot.com/2008/12/changing-language-of-existing.html

the only change to the original article is that the Table name has changed in SP2010. Here is the updated information:

The language of the site is stored at SP Web level. It is stored in database in the AllWebs table. So you need to change the language in database whatever language you want. To change the language in database you need to fire following Query:

For changing the language of all sites in to ‘Dutch’ language:
UPDATE dbo.AllWebs SET Language = 1043

Changing the language of one site collection: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE SiteId = [[SiteCollectionId]]

Changing the language of a single web or subsite: (Dutch language)
UPDATE dbo.AllWebs SET Language = 1043 WHERE Id = [[WebId]]

Note:
Before applying the new language, you need to verify that the language pack for the language that you want to apply is installed on your machine or not.

if you are serious about to publish an internet facing SharePoint site you have to consider security. One of the first things a possible hacker will inspect are the HTTP Response Headers. I usually use the Firefox Developper toolbar to check the HTTP Response Headers of my SharePoint sites. (Information Menu -> View Response Headers)

Now, what I needed removing was all the SharePoint stuff, the ASP.NET stuff and the server information (marked in bold). Luckily I was not the first guy out there to do so and I used Stefan Goßner’s post (http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx) as a lead to achieve what I wanted.

I ended up creating a custom HttpModule for removing the excess information in combination with adding a section to the web.config for the custom Headers added by SharePoint as they were not removed by the HttpModule after my initial testing.

Actions performed:
1. Create a folder named App_Code in the IIS folder of the SharePoint site where the headers need to be removed
2. Create a file with notepad named CustomHttpModule.cs
3. Edit with notepad:

One remark though if you implement this. Removing the header MicrosoftSharePointTeamServices may break your search crawling. In my case I usually dedicate a web front end for crawling or have the Web application role activated on the crawler. Evidently this web front end does not get the custom httpmodule.